gitea-mirror/monero
1
0
Fork 0
mirror of https://github.com/monero-project/monero.git synced 2026-01-02 07:50:16 -08:00
Code Issues Packages Projects Releases Wiki Activity

Change default SSL to "enabled" if user specifies fingerprint/certificate

Browse Source 
Currently if a user specifies a ca file or fingerprint to verify peer,
the default behavior is SSL autodetect which allows for mitm downgrade
attacks. It should be investigated whether a manual override should be
allowed - the configuration is likely always invalid.
This commit is contained in:
Lee Clagett
2019-03-13 20:01:14 -04:00
parent f18a069fcc
commit 1f5ed328aa
3 changed files with 29 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/rpc/core_rpc_server.cpp
View File

@@ -149,13 +149,6 @@ namespace cryptonote
if (rpc_config->login)
http_login.emplace(std::move(rpc_config->login->username), std::move(rpc_config->login->password).password());
epee::net_utils::ssl_support_t ssl_support;
const std::string ssl = command_line::get_arg(vm, arg_rpc_ssl);
if (!epee::net_utils::ssl_support_from_string(ssl_support, ssl))
{
MFATAL("Invalid RPC SSL support: " << ssl);
return false;
}
const std::string ssl_private_key = command_line::get_arg(vm, arg_rpc_ssl_private_key);
const std::string ssl_certificate = command_line::get_arg(vm, arg_rpc_ssl_certificate);
std::string ssl_ca_path = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
@@ -165,6 +158,18 @@ namespace cryptonote
std::transform(ssl_allowed_fingerprint_strings.begin(), ssl_allowed_fingerprint_strings.end(), ssl_allowed_fingerprints.begin(), epee::from_hex::vector);
const bool ssl_allow_any_cert = command_line::get_arg(vm, arg_rpc_ssl_allow_any_cert);
// user specified CA file or fingeprints implies enabled SSL by default
epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
if ((ssl_allowed_fingerprints.empty() && ssl_ca_path.empty()) || !command_line::is_arg_defaulted(vm, arg_rpc_ssl))
{
const std::string ssl = command_line::get_arg(vm, arg_rpc_ssl);
if (!epee::net_utils::ssl_support_from_string(ssl_support, ssl))
{
MFATAL("Invalid RPC SSL support: " << ssl);
return false;
}
}
auto rng = [](size_t len, uint8_t *ptr){ return crypto::rand(len, ptr); };
return epee::http_server_impl_base<core_rpc_server, connection_context>::init(
rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login),